As part of TokenScript implementation, it is important that we can intercept and potentially block HTTP requests against a whitelist.

I couldn't find a way to intercept HTTP requests natively on iOS. There is a way that apparently works. But I'm not sure if it's good. It is to swap out the system function prototype (XMLHttpRequest.send()) that supports the HTTP call, hold a reference to it and delegate to it if the URL is in the whitelist. It feels hackish and we don't know if it's secure enough. I'll sleep on it a bit and maybe get a hint of how to do it better in my dreams.

Feel free to think about it or comment please or recommend a better way.

Ok, we can use content blocking rules on iOS for this instead of the JavaScript hack described above. It's not programmatic, but fully declarative, so there would be limitations. But It'll help to accomplish 2 goals by blocking everything by default and allow a list of URL patterns to go through:

Prevent loading of remote images/scripts

Whitelist a list of APIs that are accessible (same thing for scripts, if we want to support that)